Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Zero-Day Bug Fixed by Microsoft in December Patch Tuesday

Microsoft patches nine critical bugs as part of December Patch Tuesday roundup.

Microsoft has patched a zero-day vulnerability actively being used against older versions of the Windows operating system, as part of its December Patch Tuesday updates.

According to the software giant, the vulnerability (CVE-2018-8611) is an elevation-of-privilege (EoP) bug that affects Windows 7 through Server 2019. It has a CVSS rating of seven, classifying it as a high-severity flaw.

The EoP is triggered when the Windows kernel fails to properly handle objects in memory, according to Microsoft. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” wrote Microsoft in its December Patch Tuesday bulletin.

However, “the attacker would first have to log onto the system then run a specially crafted application to take control of the affected system,” said Chris Goettl, director of product management, security, Ivanti.

One of these (CVE-2018-8517) is noteworthy because it was publicly known ahead of the scheduled update released Tuesday, but not exploited, according to the security bulletin. The flaw is a .NET framework denial-of-service vulnerability.

“A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Framework application,” wrote Microsoft. “The vulnerability can be exploited remotely, without authentication.”

Five of the nine critical vulnerabilities are tied to Microsoft’s Chakra scripting engine, a JavaScript engine developed for the Edge web browser. Each of the flaws are memory-corruption bugs that would allow an adversary to execute arbitrary code during a user session, elevate user rights and ultimately take control of the affected system.

“Browser and scripting engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” advised Qualys in its Patch Tuesday commentary. “This includes multi-user servers that are used as remote desktops for users. Out of the 9 critical vulnerabilities, 6 can be exploited through browsers.”

“This patch is interesting for a couple of different reasons. First, newer functionalities like text-to-speech have a somewhat unknown attack surface,” wrote Dustin Childs, a certified information systems security professional with Zero Day Initiative, in an analysis.

“This isn’t the first text-to-speech related bug – Android had one a few years ago – but it’s certainly not often seen,” he added. “Secondly, Microsoft doesn’t state a sample exploit scenario, but since generating speech requires an HTTP POST request to the speech service, it’s possible this could be remotely accessible if your application is network facing. Either way, if you employ text-to-speech, don’t overlook this patch.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.